I’m assuming “PPSK” is some sort of WPA2-Personal implementation that uses individual passwords per user, rather than a single PSK? I think I’ve heard of this from Aerohive and Ruckus; are there other vendors who have it?
Steve Bohrer Network Admin, ITS Bard College at Simon's Rock 413-528-7645 > On Sep 10, 2015, at 11:06 AM, Paul Sedy <rps...@masters.edu> wrote: > > I will do the same and log a request with Cisco on PPSK type technology… I > would love to see a simpler solution that we could deploy as well. > > Paul Sedy > The Master’s College > Director of IT Operations > 21726 Placerita Canyon Rd, Santa Clarita, CA 91321 > 661.362.2340 | rps...@masters.edu <mailto:rps...@masters.edu> > #private > > From: The EDUCAUSE Wireless Issues Constituent Group Listserv > [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jason Cook > Sent: Wednesday, September 09, 2015 11:47 PM > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the > dorms- quick Survey > > I’ve launched a request at Cisco to implement something like PPSK. Perhaps > if enough places request this from there vendors we might get something in. > I’ve logged a TAC case, spoken to the local cisco team and an operations > manager, not sure what other paths there is. <> > > It does seem to be something that provides a reasonable solution to fall-back > to when 802.1x isn’t an option. We currently do it with a PSK but I’m waiting > on that day when the key needs changing. Not so worried about the dorms, I > think we can manage that as we can contact the users very easily (though PPSK > would still be a better option). > > But the on-campus random devices which is still only a handful could be quite > a pain to track them all down and there would be a good period of time with > certain devices not working. There’s nothing major relying on this, but it is > still work that will need to be done that wouldn’t have to be if they were > 802.1x or we had a PPSK like option. > > -- > Jason Cook > The University of Adelaide, AUSTRALIA 5005 > Ph : +61 8 8313 4800 > > From: The EDUCAUSE Wireless Issues Constituent Group Listserv > [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] On Behalf Of Jeffrey D. Sessler > Sent: Saturday, 5 September 2015 6:35 AM > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> > Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the > dorms- quick Survey > > Is the student’s “residence” in this case any different than a VP who travels > and uses hotel WiFi, the hotel being their residence most of the time? Are we > asking the student to do something we wouldn’t require of the VP in the hotel? > > This is why something like Areohive’s PPSK (private pre-shared key) is > interesting to me, in that it provides something that is “good enough” > without all the hassles around WPA-ent. We get the user off of an open > network, but provide easy on-boarding for the user and their devices. > > I agree that students may not know they should care, but I’m not sure it’s > the university’s job to educate them i.e. they are adults, and we don’t go > round them up to make sure they attend class. Our students only care about > connecting to the WiFi, and even if we try to explain why it’s better, there > is only a small percentage that care… the same can be said for staff/faculty. > > I also shy away from saying, “…provide the secure option.” since it implies > everything they do is now secure, which it is not. > > I do agree that providing both options is a good idea, but my own evidence > shows that if the user’s chrome-cast is in the device-net, they will put > their laptop there to so that they have access to it. > > Jeff > > From: "wireless-lan@listserv.educause.edu > <mailto:wireless-lan@listserv.educause.edu>" on behalf of "Coehoorn, Joel" > Reply-To: "wireless-lan@listserv.educause.edu > <mailto:wireless-lan@listserv.educause.edu>" > Date: Friday, September 4, 2015 at 1:31 PM > To: "wireless-lan@listserv.educause.edu > <mailto:wireless-lan@listserv.educause.edu>" > Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the > dorms- quick Survey > > The difference between us and a McDonalds or Starbucks is that we are the > student's residence. They can't as easily just wait or go elsewhere in order > to do things that really should not be done on an open wifi connection. > > Additionally, this is the first encounter with the issue for many students. > They haven't yet had a chance to know that they should care. Therefore, I do > believe it is our responsibility to provide the secure option and educate our > students on the importance of using it. > > At the same time, college students are supposedly adults now, and capable of > making their own decisions, and so I try to provide both options (we really > do have an completely open SSID), along with some education and a nudge via > SSID naming that the secure SSID may be "better" in some ephemeral way. > > > > > > Joel Coehoorn > Director of Information Technology > 402.363.5603 > jcoeho...@york.edu <mailto:jcoeho...@york.edu> > The mission of York College is to transform lives through Christ-centered > education and to equip students for lifelong service to God, family, and > society > > On Fri, Sep 4, 2015 at 2:09 PM, Frans Panken <frans.pan...@surfnet.nl > <mailto:frans.pan...@surfnet.nl>> wrote: > Jeff, > > Jeffrey D. Sessler schreef op 04/09/15 om 20:55: > > Just to turn this on it’s ear a bit... > > > > Why not go back to an open network for student devices, with the same EULA > > as they’d get be it at a Starbucks, McDonalds, hotel, or convention center? > > Why are we (my self included) so hell bent on student devices connecting > > via WPA-Ent and all the challenges associated with accommodating devices > > that can’t? > Basically, because you do not know who is behind the device if this user > does something that conflicts with any of the policies (e.g., security > to name one). > > > > > > Does data exist that shows all of this overhead we’ve created has had any > > measurable benefit (for the cost), especially when the same users aren’t > > concerned about over-the-air security when at the above mentioned places? > Regardless of the numbers, I will tell you it was worth it. > > Inmagine the blames your institute copes with if some one decides to put > a rogue access point in between that cathes all kinds of privacy data? > The end-user will blame the institue because it happended there! > > Note that there are easy out-of-the-box tools that are dedicated for > these kind of attacks and easy to set-up, even for a 12 year old. For > example, have a look at pineapple: https://www.wifipineapple.com/ > <https://www.wifipineapple.com/> > (very usefull to play with!) > > Or Nethunter, that uses Linux Kali and is installed on a simple phone or > tablet (http://www.nethunter.com/ <http://www.nethunter.com/>). > > > > > Why do we care so much? Is there some middle-ground that is “good enough” > > but provides almost the same experience as at home? > Seriously, you have an open network at home?? You login with your bank? > Ever hear of SSL strip (if not, I recommend to Google it and watch that > little slot in your browser continously) > > > > > Would our efforts be better spent implementing other beneficial > > technologies such location-aware WiFi, where after the student connects all > > their AppleTV, TimeMachine, and Chromecast devices, the network is smart > > enough to provide them visibility of only those devices when in/near the > > same location e.g. Location-aware bonjour? > I hope the arguments above convinced you. If not, I think I can think of > some more... > > -Frans > > > > > > > > Jeff > > > > > > On 9/4/15, 7:51 AM, "The EDUCAUSE Wireless Issues Constituent Group > > Listserv on behalf of Lee H Badman" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > > <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of lhbad...@syr.edu > > <mailto:lhbad...@syr.edu>> wrote: > > > >> Where it gets interesting- broadcast and single class C required. But- > >> this is a great summary of requirements. > >> > >> Lee Badman | Network Architect > >> Information Technology Services > >> 206 Machinery Hall > >> 120 Smith Drive > >> Syracuse, New York 13244 > >> t 315.443.3003 <tel:315.443.3003> f 315.443.4325 <tel:315.443.4325> e > >> lhbad...@syr.edu <mailto:lhbad...@syr.edu> w its.syr.edu > >> <http://its.syr.edu/> > >> SYRACUSE UNIVERSITY > >> syr.edu <http://syr.edu/> > >> > >> -----Original Message----- > >> From: The EDUCAUSE Wireless Issues Constituent Group Listserv > >> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > >> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] On Behalf Of Johnson, Neil M > >> Sent: Friday, September 04, 2015 10:46 AM > >> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > >> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> > >> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the > >> dorms- quick Survey > >> > >> Here is my first pass at requirements: > >> > >> 1. The service must prevent or discourage devices that ARE capable of > >> using 802.1x authentication from using the service. > >> > >> 2. The service should provide some sort of traceability of devices > >> back to their owners. > >> > >> 3. The service must provide some method to deny access to an > >> individual device. > >> > >> 4. The service must be easy enough to use that the average student can > >> connect a device to the network in 10-15 minutes without requiring > >> assistance from ITS. > >> > >> 5. The service must restrict access to only authorized University > >> customers. > >> > >> 6. In the residence Halls, the service must support most the most > >> common consumer devices that students might bring to campus > >> > >> > >> We are also looking at a “Device Net” for campus for other devices that > >> may not do 802.1X (freezer monitors, digital signage, instrumentation, > >> etc.). > >> > >> For the residence hall device net we are thinking about blocking all > >> access to campus resources and just allowing internet access. > >> > >> For the campus device net we thinking about RFC 1918 space restricting the > >> deivces to on campus resources only. > >> > >> -- > >> Neil Johnson > >> Network Engineer > >> The University of Iowa > >> Phone: 319 384-0938 > >> Fax: 319 335-2951 > >> E-Mail: neil-john...@uiowa.edu <mailto:neil-john...@uiowa.edu> > >> > >> > >> > >>> On Sep 4, 2015, at 6:46 AM, Osborne, Bruce W (Network Services) > >>> <bosbo...@liberty.edu <mailto:bosbo...@liberty.edu>> wrote: > >>> > >>> What are you calling a Device Net? > >>> > >>> We have an open SSID with a custom captive portal using the ClearPass > >>> eTIPS API. > >>> > >>> We use this SSID for onboarding to 802.1X with Cloudpath XpressConnect > >>> Wizard, registering a non-8012.1X device Endpoint in ClearPass (with > >>> AirGroup device registration for Apple-TV) and for permitting non-802.1X > >>> network access, blocking out internal web server & blackboard servers. If > >>> devices try to go to these sites, they are redirected to Cloudpath > >>> XpressConnect Wizard. > >>> > >>> I am leaving on vacation for a week, so it may take me a while to resond > >>> further > >>> > >>> Bruce Osborne > >>> Wireless Engineer > >>> IT Infrastructure & Media Solutions > >>> > >>> (434) 592-4229 <tel:%28434%29%20592-4229> > >>> > >>> LIBERTY UNIVERSITY > >>> Training Champions for Christ since 1971 > >>> > >>> -----Original Message----- > >>> From: Johnson, Neil M [mailto:neil-john...@uiowa.edu > >>> <mailto:neil-john...@uiowa.edu>] > >>> Sent: Thursday, September 3, 2015 12:08 PM > >>> Subject: Re: Supporting "those other Wi-Fi devices" in the dorms- quick > >>> Survey > >>> > >>> We are investigating a device net at UofI so, > >>> > >>> I would be interested in hearing from anyone who has implemented a Device > >>> Net with Clearpass. > >>> > >>> Thanks. > >>> -Neil > >>> > >>> -- > >>> Neil Johnson > >>> Network Engineer > >>> The University of Iowa > >>> Phone: 319 384-0938 <tel:319%20384-0938> > >>> Fax: 319 335-2951 <tel:319%20335-2951> > >>> E-Mail: neil-john...@uiowa.edu <mailto:neil-john...@uiowa.edu> > >>> > >>> > >>> > >>>> On Sep 3, 2015, at 7:24 AM, Lee H Badman <lhbad...@syr.edu > >>>> <mailto:lhbad...@syr.edu>> wrote: > >>>> > >>>> There is an elegance in your wisdom, Chuck. > >>>> > >>>> > >>>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv > >>>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > >>>> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] On Behalf Of Chuck Enfield > >>>> Sent: Wednesday, September 02, 2015 5:54 PM > >>>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > >>>> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> > >>>> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in > >>>> the dorms- quick Survey > >>>> > >>>> Don’t tell me. Ignorance is bliss. Man, am I happy! > >>>> > >>>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv > >>>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > >>>> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] On Behalf Of David R. Morton > >>>> Sent: Wednesday, September 02, 2015 5:41 PM > >>>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > >>>> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> > >>>> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in > >>>> the dorms- quick Survey > >>>> > >>>> Lee, > >>>> > >>>> Are you going to share the results of this survey as well? > >>>> > >>>> David > >>>> > >>>> > >>>> David Morton > >>>> > >>>> Director, Mobile Communications > >>>> Service Owner: Wi-Fi, Mobile & HuskyTV > >>>> University of Washington > >>>> dmor...@u.washington.edu <mailto:dmor...@u.washington.edu> > >>>> tel 206.221.7814 <tel:206.221.7814> > >>>> > >>>> On Sep 2, 2015, at 9:50 AM, Lee H Badman <lhbad...@syr.edu > >>>> <mailto:lhbad...@syr.edu>> wrote: > >>>> > >>>> As we look forward in how we service our residential spaces for Wi-Fi, > >>>> I’ve put together a quick survey on if/what other schools are doing > >>>> (and not doing) for supporting the perplexing gadgets (TVs, games, > >>>> entertainment dongles, etc) over Wi-Fi. Please consider contributing at > >>>> > >>>> https://www.quicksurveys.com/s/Wc92H > >>>> <https://www.quicksurveys.com/s/Wc92H> > >>>> > >>>> I’ll run this for two weeks, will post just a couple more invites on > >>>> each list in that period (so you know to expect a couple more… kind of > >>>> advance spam warning) and will open the results page up for both lists > >>>> at the end. I know I’m not the only one contemplating these questions. > >>>> Should take minutes to sail through, but decent participation could > >>>> really help others in their own thoughts about this challenging paradigm. > >>>> > >>>> > >>>> > >>>> Thanks in advance! > >>>> > >>>> > >>>> > >>>> Lee Badman | Network Architect > >>>> Information Technology Services > >>>> 206 Machinery Hall > >>>> 120 Smith Drive > >>>> Syracuse, New York 13244 > >>>> t 315.443.3003 <tel:315.443.3003> f 315.443.4325 <tel:315.443.4325> > >>>> e lhbad...@syr.edu <mailto:lhbad...@syr.edu> w its.syr.edu > >>>> <http://its.syr.edu/> > >>>> SYRACUSE UNIVERSITY > >>>> syr.edu <http://syr.edu/> > >>>> > >>>> > >>>> > >>>> ********** Participation and subscription information for this EDUCAUSE > >>>> Constituent Group discussion list can be found at > >>>> http://www.educause.edu/groups/ <http://www.educause.edu/groups/>. > >>>> > >>>> ********** Participation and subscription information for this EDUCAUSE > >>>> Constituent Group discussion list can be found at > >>>> http://www.educause.edu/groups/ <http://www.educause.edu/groups/>. > >>>> ********** Participation and subscription information for this EDUCAUSE > >>>> Constituent Group discussion list can be found at > >>>> http://www.educause.edu/groups/ <http://www.educause.edu/groups/>. > >>>> ********** Participation and subscription information for this EDUCAUSE > >>>> Constituent Group discussion list can be found at > >>>> http://www.educause.edu/groups/ <http://www.educause.edu/groups/>. > >>> > >>> ********** > >>> Participation and subscription information for this EDUCAUSE Constituent > >>> Group discussion list can be found athttp://www.educause.edu/groups/ > >>> <http://www.educause.edu/groups/>. > >>> > >>> > >>> ********** > >>> Participation and subscription information for this EDUCAUSE Constituent > >>> Group discussion list can be found athttp://www.educause.edu/groups/ > >>> <http://www.educause.edu/groups/>. > >>> > >> > >> ********** > >> Participation and subscription information for this EDUCAUSE Constituent > >> Group discussion list can be found athttp://www.educause.edu/groups/ > >> <http://www.educause.edu/groups/>. > >> > >> > >> ********** > >> Participation and subscription information for this EDUCAUSE Constituent > >> Group discussion list can be found athttp://www.educause.edu/groups/ > >> <http://www.educause.edu/groups/>. > >> > > ********** > > Participation and subscription information for this EDUCAUSE Constituent > > Group discussion list can be found athttp://www.educause.edu/groups/ > > <http://www.educause.edu/groups/>. > > > > ********** > Participation and subscription information for this EDUCAUSE Constituent > Group discussion list can be found athttp://www.educause.edu/groups/ > <http://www.educause.edu/groups/>. > > ********** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/groups/ <http://www.educause.edu/groups/>. > ********** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/groups/ <http://www.educause.edu/groups/>. > ********** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/groups/ <http://www.educause.edu/groups/>. > ********** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/groups/ <http://www.educause.edu/groups/>. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.